EP3902205A1 - Real-time computer system and method for controlling a system or a vehicle - Google Patents

Abstract

The invention relates to a real-time computer system (100) for controlling a technical device, the real-time computer system comprising data acquisition components (101, 102, 103) which are independent of one another, as well as insecure data processing components (121, 132, 143) for processing sensor data. A time server (115) and a first communication system (110) and a second communication system (111) independent of it are provided, the time server (115) periodically sending global time signals to the communication systems. Each data acquisition component (101, 102, 103) has two communication controllers (192), each data acquisition component (101, 102, 103) with two communication controllers (192) via a communication line (191) to the first communication system (110) and with the other communication controller (192 ) is connected to the second communication system (111 ) via a communication line (191) so that each data acquisition component (101, 102, 103) can transmit its sensor data to each of the two communication systems (110, 111) , and each data processing component (121, 132, 143 ) has two communication controllers (192) , each data processing component (121, 132, 143) with one of the two communication controllers (192) via a communication line (191) to the first communication system (110) and with the other communication controller (192) via a Communication line (191) is connected to the second communication system (111) t, so that each communication system (110, 111) can transmit the sensor data received from the data acquisition components (101, 102, 103) to each of the data processing components (121, 132, 143) , so that each data processing component (121, 132, 143) can process the received sensor data .

Description

The invention relates to a real-time computer system, in particular a distributed real-time computer system, for controlling a technical device, e.g. a technical system or a machine, such as a robot or a vehicle, in particular a motor vehicle, the real-time computer system comprising data acquisition components that are independent of one another, the data acquisition components are set up for the acquisition of sensor data, and includes data processing components for processing the sensor data.

The invention further relates to a method for the automated control of a technical device, e.g. a technical installation or a machine, such as a robot or a vehicle, in particular a motor vehicle, using such a real-time computer system, in particular an autonomous real-time computer system.

The invention is in the field of computer technology. It describes an automation system or an architecture of such an automation system and a method for the safe, autonomous operation of a technical device, e.g. a technical installation or a machine, such as a robot or a vehicle, in particular a motor vehicle.

The autonomous operation of a technical device, for example a technical system or a machine such as a robot or a vehicle, in particular a motor vehicle, requires a real-time computer system that monitors the environment of the machine or system with sensors by means of a process model running on the real-time computer system the management of a process is calculated and the sequence of the physical processes is influenced via actuators. The environment can be observed, for example, with optical sensors (cameras), LIDAR, radar sensors and various other sensors. The evaluation of the sensor data, the data fusion of the sensor data and the creation of the necessary environmental models as well as the planning of the desired process flow require complex software components with millions of commands.

In many applications, for example the autonomous control of a vehicle, a system error that occurs in the real-time computer system can have serious effects. Such an error can be triggered by a transient or permanent failure of the hardware of a component or by a defect in the software (design error). In safety-critical applications it is required that the mean time to fail ( MTTF ) of a serious failure at the system level must be ^{greater than 10 9 hours.}

The ISO standard ISO 26262 on functional safety for the development, testing and certification of software in safety-relevant applications in the automotive industry introduces four ASIL ( Automotive Safety Integrity Levels ) safety levels, ASIL A (lowest safety level), ASIL B, ASIL C and ASIL D (highest Security_level).

It is assumed that with complex software components with millions of commands, even with a rigorous development process and after very extensive tests, the required reliability of 10 ^-9 failures / hour (corresponds roughly to the requirements of ASIL D) cannot be achieved. In addition to software errors, the effects of transient and permanent hardware errors must also be taken into account in a software / hardware (SW / HW) component. The effects of a transient hardware failure are often indistinguishable from the effects of a software failure during operation.

It is an object of the invention to provide a real-time computer system for controlling a technical device.

• Datenerfassungskomponenten unsichere Komponenten sind,
• das Echtzeitcomputersystem weiters einen Zeitserver sowie ein erstes Kommunikationssystem und ein zweites Kommunikationssystem umfasst,
• wobei der Zeitserver dazu eingerichtet ist, globale Zeitsignale periodisch über eine oder mehrere unidirektionale Kommunikationsleitungen an das erste Kommunikationssystem und über eine oder mehrere unidirektionale Kommunikationsleitungen an das zweite Kommunikationssystem zu senden,
• wobei die Kommunikationssysteme voneinander unabhängig sind,
• und wobei jede Datenerfassungskomponente über mindestens zwei, vorzugsweise genau zwei Kommunikationskontroller verfügt, wobei jede Datenerfassungskomponente mit einem der zumindest zwei Kommunikationskontroller über zumindest eine, vorzugsweise genau eine Kommunikationsleitung an das erste Kommunikationssystem und mit einem anderen der zumindest zwei Kommunikationskontroller über zumindest eine, vorzugsweise genau eine Kommunikationsleitung an das zweite Kommunikationssystem angeschlossen ist, sodass jede Datenerfassungskomponente seine Sensordaten an jedes der zumindest zwei Kommunikationssysteme übertragen kann bzw. überträgt,
• und wobei jede Datenverarbeitungskomponente über mindestens zwei, vorzugsweise genau zwei Kommunikationskontroller verfügt, wobei jede Datenverarbeitungskomponente mit einem der zumindest zwei Kommunikationskontroller über zumindest eine, vorzugsweise genau eine Kommunikationsleitung an das erste Kommunikationssystem und mit einem anderen der zumindest zwei Kommunikationskontroller über zumindest eine, vorzugsweise genau eine Kommunikationsleitung an das zweite Kommunikationssystem angeschlossen ist, sodass jedes Kommunikationssystem die von den Datenerfassungskomponenten empfangenen Sensordaten an jede der Datenverarbeitungskomponenten übertragen kann bzw. überträgt,

sodass jede Datenverarbeitungskomponente die empfangenen Sensordaten verarbeiten kann.The invention proposes a real-time computer system in which it is provided according to the invention that

• Data acquisition components are insecure components,
• the real-time computer system further comprises a time server and a first communication system and a second communication system,
• wherein the time server is set up to periodically send global time signals to the first communication system via one or more unidirectional communication lines and to the second communication system via one or more unidirectional communication lines,
• whereby the communication systems are independent of each other,
• and each data acquisition component has at least two, preferably exactly two communication controllers, each data acquisition component with one of the at least two communication controllers via at least one, preferably exactly one communication line to the first communication system and with another of the at least two communication controllers via at least one, preferably exactly one Communication line is connected to the second communication system, so that each data acquisition component can or will transmit its sensor data to each of the at least two communication systems,
• and each data processing component has at least two, preferably exactly two communication controllers, each data processing component with one of the at least two communication controllers via at least one, preferably exactly one communication line to the first communication system and with another of the at least two communication controllers via at least one, preferably exactly one Communication line is connected to the second communication system, so that each communication system can transmit or transmits the sensor data received from the data acquisition components to each of the data processing components,

so that each data processing component can process the received sensor data.

• Vorzugsweise ist der Zeitserver fehlertolerant.
• Eine, insbesondere jede Datenverarbeitungskomponente, kann aus Verarbeitungs-Unterkomponenten, VUK, bestehen oder VUKs umfassen, die dazu eingerichtet sind, über ein nicht redundantes, unterlagertes Echtzeitkommunikationssystem, ein sogenanntes Echtzeit-Unterkommunikationssystem Echtzeitdaten auszutauschen, wobei das Echtzeit-Unterkommunikationssystem bzw. eine Nachrichtenverteilereinheit des Echtzeit-Unterkommunikationssystems, welche die an die Datenverarbeitungskomponente übertragenen Sensordaten übernimmt, über mindestens zwei Kommunikationskontroller verfügt, wobei einer der zumindest zwei Kommunikationskontroller dazu eingerichtet ist, die Sensordaten von dem ersten Kommunikationssystem zu übernehmen und ein anderer Kommunikationskontroller der zumindest zwei Kommunikationskontroller dazu eingerichtet ist, die Sensordaten von dem zweiten Kommunikationssystem zu übernehmen, und wobei das Echtzeit-Unterkommunikationssystem bzw. eine Nachrichtenverteilereinheit des Echtzeit-Unterkommunikationssystems einen weiteren Kommunikationskontroller umfasst, mit welchem sie mit einem.
• Die zumindest zwei Kommunikationssysteme des Echtzeitkommunikationssysteme sind vorzugsweise zeitgesteuert.
• Das Echtzeitcomputersystem oder die zumindest zwei unabhängigen Kommunikationssysteme können dazu eingerichtet sein, die Sensordaten an zumindest zwei oder mehr Datenverarbeitungskomponenten rückkopplungsfrei zu übertragen.
• Die Verbindungsleitungen zwischen den Datenerfassungskomponenten und/oder Datenverarbeitungskomponenten einerseits und den Kommunikationssystemen andererseits sind vorzugsweise galvanisch getrennt.
• Vorzugsweise kann eine Datenverarbeitungskomponente direkt auf einen Sensor zugreifen, der nur dieser Datenverarbeitungskomponente zugeordnet ist.
• Es kann vorgesehen sein, dass das Echtzeitcomputersystem eine Entscheidungskomponente umfasst, wobei jede Datenerfassungskomponente an diese Entscheidungskomponente angeschlossen ist, wobei vorzugsweise die Entscheidungskomponente fehlertolerante Hardware umfasst, auf welcher eine einfache Software ausgeführt wird.
• Es kann vorgesehen sein, dass eine Datenverarbeitungskomponente, welche eine Verletzung der Annahmen betreffend das spezifizierte Operational Design Domain (ODD) erkennt, dies an die Entscheidungskomponente mitteilt.
• Es kann vorgesehen sein, dass Funktionen, insbesondere alle Funktionen der Berechnung einer Trajektorie durch eine erste, insbesondere unsichere Datenverarbeitungskomponente, eine Überprüfung der Sicherheit dieser berechneten Trajektorie ausschließlich durch eine zweite, insbesondere unsichere Datenverarbeitungskomponente, und die Berechnung einer Notfalltrajektorie ausschließlich durch eine dritte, insbesondere unsichere Datenverarbeitungskomponente durchgeführt wird, und vorzugsweise eine Entscheidungsfindung, ob ein Fehler vorliegt, durch eine, vorzugsweise einfache Entscheidungskomponente durchgeführt wird. Die Ermittlung der Trajektorie und Überprüfung der Trajektorie sind somit voneinander klar getrennt.

Advantageous embodiments of the invention, each of which can be implemented alone or in any combination with one another, are described below:

• The time server is preferably fault tolerant.
• One, in particular each data processing component, can consist of processing sub-components, VUK, or comprise VUKs that are set up to exchange real-time data via a non-redundant, subordinate real-time communication system, a so-called real-time sub-communication system, whereby the real-time sub-communication system or a message distribution unit of the Real-time sub-communication system, which accepts the sensor data transmitted to the data processing component, has at least two communication controllers, one of the at least two communication controllers being set up to accept the sensor data from the first communication system and another communication controller of the at least two communication controllers being set up to use the To take over sensor data from the second communication system, and wherein the real-time sub-communication system or a message distribution unit of the real-time sub-com communication system comprises a further communication controller, with which it is with a.
• The at least two communication systems of the real-time communication system are preferably time-controlled.
• The real-time computer system or the at least two independent communication systems can be set up to transmit the sensor data to at least two or more data processing components without feedback.
• The connecting lines between the data acquisition components and / or data processing components on the one hand and the communication systems on the other hand are preferably galvanically isolated.
• A data processing component can preferably access a sensor which is only assigned to this data processing component.
• It can be provided that the real-time computer system comprises a decision component, each data acquisition component being connected to this decision component, the decision component preferably including fault-tolerant hardware on which simple software is executed.
• Provision can be made for a data processing component which detects a violation of the assumptions relating to the specified Operational Design Domain (ODD) to notify the decision-making component.
• It can be provided that functions, in particular all functions of the computation of a trajectory by a first, in particular insecure data processing component, a check of the security of this calculated trajectory exclusively by a second, in particular insecure data processing component, and the computation of an emergency trajectory exclusively by a third, in particular insecure data processing component is carried out, and preferably a decision as to whether there is an error is carried out by a, preferably simple decision component. The determination of the trajectory and the checking of the trajectory are thus clearly separated from one another.

• Zustand 301: die technische Vorrichtung befindet sich in einem ersten sicheren Zustand, in welchem ein Operator die Kontrolle über die technische Vorrichtung ausüben kann;
• Zustand 302: das Echtzeitcomputersystem funktioniert teilautonom und wird vom Operator kontinuierlich überwacht;
• Zustand 303: das Echtzeitcomputersystem führt die technische Vorrichtung autonom;
• Zustand 304: das Echtzeitcomputersystem ist fehlerhaft;
• Zustand 305: die technische Vorrichtung in befindet sich in einem zweiten sicheren Zustand 305, in welchen sie von dem Echtzeitcomputersystem durch ein Minimum Risk Manöver (MRM) gebracht wird, wobei in dem zweiten sicheren Zustand 305 der Operator die Kontrolle über die technische Vorrichtung nicht hat, diese aber übernehmen kann,

wobei ein Übergang zwischen den Systemzuständen jeweils durch eine oder mehreren Zustandsübergänge erfolgt, und wobei ein Fehler durch die Entscheidungskomponente erkannt wird, und das Echtzeitcomputersystem von dem autonomen Betrieb in den Fehlzustand schaltet, und das Echtzeitcomputersystem mittels der Datenverarbeitungskomponente die technische Vorrichtung in den sicheren Zustand bringt.The invention also relates to a method mentioned at the outset in which the real-time computer system can assume various system states, in particular at least the following system states:

• State 301: the technical device is in a first secure state in which an operator can exercise control over the technical device;
• State 302: the real-time computer system functions partially autonomously and is continuously monitored by the operator;
• State 303: the real-time computer system runs the technical device autonomously;
• State 304: the real-time computer system is faulty;
• State 305: the technical device in is in a second secure state 305 in which it is controlled by the real-time computer system by a minimum Risk maneuver (MRM) is carried out, whereby in the second safe state 305 the operator does not have control over the technical device, but can take over it,

A transition between the system states is made by one or more state transitions, and an error is detected by the decision-making component, and the real-time computer system switches from autonomous operation to the faulty state, and the real-time computer system uses the data processing component to bring the technical device into the safe state .

• Eine Komponente ist eine Hardware/Software Einheit, die auf einer Betrachtungsebene eine spezifizierte Serviceleistung erbringt. Die Verarbeitung und der Transport von Daten sind Serviceleistungen, die von Komponenten erbracht werden.
• Der Begriff Komponente ist vorzugsweise rekursiv zu verstehen, d.h. die innere Struktur einer Komponente kann auf einer (oder mehreren) unterliegenden Betrachtungsebenen dargestellt werden. Die spezifizierten Serviceleistungen einer Komponente können auf der unterliegenden (detaillierteren) Betrachtungsebene durch eine Kombination von (unterliegenden) Komponenten erbracht werden.
• Es gibt zwei Arten von Komponenten: sichere Komponenten und unsichere Komponenten.
• Eine sichere Komponente beinhaltet eine Software, die nach den Regeln von ASIL D entwickelt wurde (= einfache Software). Eine einfache Software muss auf einer fehlertoleranten Hardware ausgeführt werden, um eine sichere Komponente zu bilden.
• Sichere Komponenten entsprechen den höchsten Sicherheitsanforderungen. In Fig. 1 sind die sicheren Komponenten durch einen doppelten Rahmen gekennzeichnet.
• Nicht fehlertolerante Hardware ist unsicher.
• Ein nicht-redundanter Sensor ist unsicher.
• Ein Ausfall einer unsicheren Komponente darf zu keinem sicherheitsrelevanten Ereignis auf Systemebene führen.

The proposed, in particular fault-tolerant real-time computer system for the safe automatic operation of a machine or a vehicle is based on the following design principles:

• A component is a hardware / software unit that provides a specified service on one level. The processing and transport of data are services provided by components.
• The term component is preferably to be understood recursively, ie the internal structure of a component can be represented on one (or more) underlying observation levels. The specified services of a component can be provided on the underlying (more detailed) observation level through a combination of (underlying) components.
• There are two types of components: safe components and unsafe components.
• A safe component includes software that was developed according to the rules of ASIL D (= simple software). Simple software must run on fault-tolerant hardware in order to form a safe component.
• Safe components meet the highest security requirements. In Fig. 1 the safe components are identified by a double frame.
• Hardware that is not fault tolerant is unsafe.
• A non-redundant sensor is unsafe.
• A failure of an unsafe component must not lead to a security-relevant event at the system level.

The mean time to fail (MTTF) of a safe component is ^{assumed to be 10 8} to 10 ⁹ hours. This value results from a rigorous development process of a simple software according to ASIL D, so that all design errors can be eliminated during the system development and from the prescribed hardware redundancy, which masks a single fault in the hardware.

If a component does not meet the criteria for being a safe component described above, it is an unsafe component.

The mean time to fail (MTTF) of an unsafe component is ^{assumed to be 10 4} to 10 ⁵ hours. This value can be determined experimentally through particularly careful development in accordance with ASIL B and extensive testing in the field and through simulation. The high level of reliability required at the system level can be achieved through an appropriate arrangement of redundant, unsafe components in the system architecture.

The subject of the arrangement of unsafe components is dealt with in the ISO 26262 standard. If, for example, two ASIL B components have to fail for a system failure to occur, the probability of a system failure is set to the level of an ASIL D component.

With the present invention, the proportion of the hardware of the sensors and of the communication system that have to be implemented redundantly is minimized, so that the system costs can be kept low.

• Fig. 1 die Struktur eines erfindungsgemäßen Echtzeitcomputersystems,
• Fig. 2 die innere Struktur einer Komponente des Echtzeitcomputersystems aus Figur 1,
• Fig. 3 Systemzustände und Zustandsübergänge in einem solchen Echtzeitcomputersystem,
• Fig. 4 ein Beispiel eines Zeitservers mit vier internen Komponenten,
• Fig. 5 die Struktur eines verteilten Echtzeitcomputersystems mit vier Computern, die von einem fehlertoleranten Zeitserver gemäß Figur 4 mit periodischen externen Synchronisationsnachrichten versorgt werden,
• Fig. 6 eine weitere Ausgestaltungsmöglichkeit eines Zeitservers,
• Fig. 7 einen Zeitserver mit einem Empfänger zum Empfang von GPS Signalen zur Synchronisation der globalen Zeit mit der GPS Zeit, und
• Fig. 8 einen Zeitserver gemäß Figur 7 mit Sensoren zur Erfassung des Zustandes der Umwelt.

The invention is discussed in more detail with reference to the drawing and illustrates one of the many possible forms of the invention. It shows

• Fig. 1 the structure of a real-time computer system according to the invention,
• Fig. 2 the internal structure of a component of the real-time computer system Figure 1 ,
• Fig. 3 System states and state transitions in such a real-time computer system,
• Fig. 4 an example of a time server with four internal components,
• Fig. 5 the structure of a distributed real-time computer system with four computers, supported by a fault-tolerant time server according to Figure 4 are supplied with periodic external synchronization messages,
• Fig. 6 another design option for a time server,
• Fig. 7 a time server with a receiver for receiving GPS signals to synchronize the global time with the GPS time, and
• Fig. 8 a time server according to Figure 7 with sensors to record the state of the environment.

Figure 1 shows an exemplary automation system or real-time computer system 100, which includes data acquisition components (hereinafter also referred to as “sensor components”) 101, 102, 103, sensor component 101 being a sensor 161, sensor component 102 being a sensor 162, and sensor component 103 being a sensor 163 includes. Furthermore, the real-time computer system 100 comprises a first time-controlled communication system 110 and a second time-controlled communication system 111, as well as data processing components, in the example shown three data processing components 121, 132, 143, as well as a decision component 150 and an actuator 170.

Furthermore, the real-time computer system 100 comprises a time server, preferably a fault-tolerant time server 115, which will be discussed in greater detail below.

The decision component 150 consists of fault-tolerant hardware with simple software which is developed according to ASIL D or which corresponds to ASIL D, and is therefore assumed to be safe.

Each component 101, 102, 103, 150, 121, 132, 143 and the time-controlled communication systems 110, 111 and the time server 115 have communication controllers 192, which form the end points of communication lines 191, 194, 195. All communication lines 191, 194, 195 preferably have galvanic interruptions 193, which prevent the propagation of a hardware error.

The decision component 150 and preferably the time server 115 are secure. All other listed components can be unsafe.

The fault-tolerant time server 115 provides a fault-tolerant global time, in particular a fault-tolerant sparing global time, i.e. a global time that is sparing [Kop11, p. 64]. The fault-tolerant time server 115 is connected to the first time-controlled communication system 110 via the communication line 194 and to the second time-controlled communication system 111 via the communication line 195, so that the two communication systems 110, 111 have access to global time, in particular the sparse global time.

All the components listed have access to a fault-tolerant, sparse global time [Kop11, p. 64], which is made available by the time-controlled communication systems 110, 111. As explained above, the fault-tolerant global time is provided by the secure fault-tolerant time server 115 and periodically transmitted to the time-controlled communication system 110 via the communication line 194 and periodically via the communication line 195 to the time-controlled communication system 111 and distributed by the communication systems 110, 111. The lines are preferably designed only in a single manner, since the communication systems 110, 111 are insecure.

The safe, fault-tolerant time server 115 preferably has at least four independent clock generators (oscillators) in order to be able to tolerate a Byzantine fault of a clock generator [Pea80].

The transmission of data from the communication systems 110, 111 to the data processing components 121, 132, 143 takes place without feedback in only one direction from the communication systems 110, 111 to the Data processing components 121, 132, 143. Error propagation from the data processing components 121, 132, 143 to the communication systems 110, 111 and thus to the sensor components 101, 102, 103 is therefore not possible. It is known to the person skilled in the art how feedback-free communication can be established, for example through unidirectional communication channels, through the arrangement of diodes in the transmission lines, or through measures in the software.

A transmission of data from the communication systems 110, 111 to the sensor components 101, 102, 103 is, however, possible - at least for the transmission of the global time.

The sensor data preferably preprocessed in the sensor components 101, 102, 103 are transmitted from the two time-controlled communication systems 110, 120 to the data processing components 121, 132, 143. In the normal case, i.e. in the error-free case, the sensor data of each sensor component 101, 102, 103 are transmitted via each of the two communication systems 110, 111 to each of the data processing components 121, 132, 143. It is assumed that the sensors 161, 162, 163 observe the environment, e.g. using different redundant methods, and thus the failure of a sensor 161, 162, 163 or a sensor component 101, 102, 103 can be tolerated. The failure of one of the two communication systems 110, 111 can be tolerated since all components are connected to both communication systems.

In autonomous driving, the term trajectory of a vehicle describes the path that the vehicle follows as a function of time. The term trajectory is also applicable to the movement of a robotic arm.

A trajectory describes the career - that is a smooth curve - of a moving object, as well as the target speeds and the times that the object reaches at waypoints on the career.

Each trajectory is characterized by a number of properties. Examples of the properties of a trajectory are: the speed of the object, the centrifugal force that acts on the object, or the distance between a waypoint and an obstacle.

A safe trajectory is characterized in that important properties of the trajectory lie within intervals of predetermined limit values. A property is important when exceeding a limit value of this property can lead to an unintended event - an accident. For example, the limit value for the centrifugal force that acts on a moving object is an important property. In the case of a vehicle, this limit value depends on the one hand on the object (the speed of the vehicle) and on the other hand on the condition of the surroundings (condition of the road - dry, wet or icy).

In a vehicle, the two properties, steering angle and (positive or negative) acceleration - we refer to these two properties as essential properties of a trajectory - are of particular importance, since the steering angle and acceleration are determined by the real-time computer system. The data processing component 132 must therefore provide the limit values of these essential properties for the coming waypoint of each safe trajectory.

In certain traffic situations, several mutually exclusive trajectories can be safe. For example, a rock in the middle of a wide road can be turned either left or right, or the vehicle can be stopped immediately in front of the rock. Since the data processing component 132 has no information about which of these trajectories was planned by the data processing component 121, the data processing component 132 must calculate the essential properties of all safe trajectories that come into question at a point in time.

A safe enclosure is the compilation of all limit values for the essential properties of all safe trajectories. A planned trajectory is safe if the essential properties of the trajectory lie within the intervals that are specified by the safe envelope.

In the case of autonomous driving, a data processing component, in the specific example the data processing component 121, calculates a planned trajectory of the vehicle, taking into account the wishes of the driver and the given environmental conditions detected by the sensors.

A data processing component, here the data processing component 132, calculates a safe envelope for all safe trajectories and checks whether the surroundings of the vehicle correspond to the specification of the Operational Design Domain (ODD). An ODD specification indicates the specified conditions under which autonomous driving of a vehicle is possible. E.g. it can be specified that snowfall is not provided for in the ODD, since adhering snow causes a sensor to fail temporarily. The data processing component 132, which determines a safe envelope of all safe trajectories, must at least be developed according to the guidelines of ASIL B.

Another data processing component, here the data processing component 143, calculates an emergency trajectory which guides the vehicle into a safe state after a fault has been recognized. The emergency trajectory must lead the vehicle to a safe state under all circumstances, including outside the specified ODD. The data processing component 143 must at least be developed according to the guidelines of ASIL B, it being sufficient if it is developed according to ASIL B. The service of the data processing component 143 is only required if there is an error in the data processing component 121 or an error in the data processing component 132.

The safe decision component 150 - simple software, developed according to ASIL D on fault-tolerant hardware - decides whether the trajectory calculated by the data processing component 121 lies within the safe envelope provided by the data processing component 132. If this is the case, the trajectory calculated by the data processing component 121 is transferred to an actuator 170 for execution. If the calculated trajectory does not lie within the safe enclosure, the decision component 150 will attempt to guide the vehicle into a safe state using the emergency trajectory calculated by the data processing component 143.

Alternatively, for example in the case of a robot controller, the decision component 150 can stop the movement sequence if the trajectory calculated by the data processing component 121 does not lie within the secure enclosure that was calculated by the data processing component 132. In this case, the data processing component 143 is not required.

Corresponding Figure 2 A data processing component, for example the data processing component 121, can have a hierarchical structure and consist of (subordinate) processing components 222, 223, 224, the so-called processing subcomponents ("VUK") (or several VUKs), or comprise these, which are implemented by means of a subordinate time-controlled communication system (hereinafter "communication subsystem") 229 Exchange data. Since the data processing component 121 as a whole is insecure, a simple communication subsystem 229 is sufficient to transfer the data between the VUKs 222, 223, 224. However, it is important that the time-controlled communication subsystem 229 is connected to the two independent communication systems 110, 111 ( Figure 1 ) of the real-time computer system 100 is connected in order to mask an error in one of these two communication systems 110, 111. The line 210 in Figure 2 corresponds to the line 191 from Figure 1 Connecting the component 121 to the communication system 110, the conduit 211 in Figure 2 corresponds to line 191 Figure 1 Connecting the component 121 to the communication system 111

The communication subsystem of the data processing component 121 is connected to the decision component 150 (see FIG Figure 1 ) tied together. The line 219 in Figure 2 corresponds to line 191 Figure 1 Connecting the component 121 to the decision component 150th

Likewise, the data processing component 132 and / or the data processing component 143 can have a hierarchical structure.

Corresponding Figure 2 A data processing component can also have one or more sensors of its own which is / are only assigned to this one data processing component, e.g. a sensor 261 which is coupled to the time-controlled communication subsystem 229 of the data processing component 121 via a sensor component 201.

For example, the sensor 261 can be an (additional) camera which improves the functionality of the corresponding data processing component 121 or a Minimum function enabled, for example if both communication systems 110, 111 have failed.

Figure 3 shows a state transition diagram in the case of autonomous driving of a vehicle.

• Zustand 301: das Fahrzeug befindet sich in einem sicheren Zustand, in welchem der Fahrer die Kontrolle über das Fahrzeug ausüben kann.
• Zustand 302: das Echtzeitcomputersystem wird vom Fahrer überwacht.
• Zustand 303: das Echtzeitcomputersystem führt das Fahrzeug autonom.
• Zustand 304: das autonome Echtzeitcomputersystem ist fehlerhaft.
• Zustand 305: das autonome Echtzeitcomputersystem führt ein Minimum Risk Manöver (MRM) aus, um das Fahrzeug in einen sicheren Zustand 305 zu führen. Der Zustand 304 bedeutet den Fehlzustand, während dem das MRM ausgeführt wird. Zustand 304 beginnt mit dem Auftreten des Fehlers und endet mit dem sicheren Zustand 305. Im Zustand 305 steht das Fahrzeug z.B. am Straßenrand. Der Fahrer kann während der Ausführung des MRM 305 die Kontrolle übernehmen oder auch nicht. Er kann auch später, nach erfolgreicher Beendigung des MRM im Zustand 305 die Kontrolle nach Zustand 301 übernehmen.

In Figure 3 the following states are introduced:

• State 301: the vehicle is in a safe state in which the driver can exercise control over the vehicle.
• State 302: the real-time computer system is being monitored by the driver.
• State 303: the real-time computer system is driving the vehicle autonomously.
• State 304: the autonomous real-time computer system is faulty.
• State 305: the autonomous real-time computer system carries out a minimum risk maneuver (MRM) in order to bring the vehicle to a safe state 305. State 304 signifies the failure state during which the MRM is being executed. State 304 begins with the occurrence of the error and ends with the safe state 305. In state 305 the vehicle is, for example, at the edge of the road. The driver may or may not take control while the MRM 305 is running. It can also later, after the MRM has been successfully terminated in state 305, take control of state 301.

There are therefore two safe states, a state 305 without driver control (but the driver can take control) and a second state 301 where the driver is (constantly) in control.

An error 341 occurs if an error has occurred in the vehicle or if the environment of the vehicle no longer corresponds to the intended Operational Design Domain (ODD).

• Ereignis 351: Der Fahrer schaltet das Echtzeitcomputersystem vom sicheren Zustand 301 in den überwachten Betrieb 302 oder der Fahrer schaltet das Echtzeitcomputersystem vom überwachten Betrieb 302 in den sicheren Zustand 301.
• Ereignis 352: Ein Fehler 341 wir durch die Entscheidungskomponente 150 erkannt, da die von der Datenverarbeitungskomponente 121 errechnete Trajektorie nicht in der von der Datenverarbeitungskomponente 132 errechneten sicheren Umhüllung liegt oder weil die Datenverarbeitungskomponente 132 eine ODD-Verletzung erkannt hat. Das Echtzeitcomputersystem schaltet vom überwachten Betrieb 302 in den sicheren Zustand 301, in dem das Fahrzeug vom Fahrer kontrolliert wird.
• Ereignis 353: Der Fahrer schaltet das Echtzeitcomputersystem vom überwachten Betrieb 302 auf autonomen Betrieb 303.
• Ereignis 354: Der Fahrer schaltet das Echtzeitcomputersystem vom sicheren Zustand 301 auf autonomen Betrieb 303 oder der Fahrer schaltet vom autonomen Betrieb 303 auf den sicheren Zustand 301.
• Ereignis 355: Ein Fehler 341 wird durch die Entscheidungskomponente 150 erkannt, da die von der Datenverarbeitungskomponente 121 errechnete Trajektorie nicht in der von der Datenverarbeitungskomponente 132 errechneten sicheren Umhüllung liegt oder weil die Datenverarbeitungskomponente 132 eine ODD-Verletzung erkannt hat. Das Echtzeitcomputersystem schaltet vom autonomen Betrieb 303 in den Fehlzustand 304.
• Ereignis 356: Das Echtzeitcomputersystem informiert den Fahrer über den eingetretenen Fehlzustand 304.
• Ereignis 357: Der Fahrer übernimmt die Kontrolle und führt das Echtzeitcomputersystem vom Fehlzustand 304 in den sicheren Zustand 301.
• Ereignis 358: Das Echtzeitcomputersystem schaltet ein Minimum Risk Manöver (MRM) ein und bringt die Notfalltrajektorie, die von der Datenverarbeitungskomponente 143 ermittelt wurde, zur Anwendung, um das Fahrzeug in den sicheren Zustand 305 zu bringen.
• Ereignis 359: Der Fahrer übernimmt die Kontrolle Fahrzeugs aus dem Zustand 305.

A state transition is triggered by an event. In Figure 3 the following state transitions have been introduced:

• Event 351: The driver switches the real-time computer system from the safe state 301 to the monitored operation 302 or the driver switches the real-time computer system from the monitored operation 302 to the safe state 301.
• Event 352: An error 341 is recognized by the decision component 150 because the trajectory calculated by the data processing component 121 is not in the secure enclosure calculated by the data processing component 132 or because the data processing component 132 has recognized an ODD violation. The real-time computer system switches from monitored operation 302 to safe state 301 in which the vehicle is controlled by the driver.
• Event 353: The driver switches the real-time computer system from monitored operation 302 to autonomous operation 303.
• Event 354: The driver switches the real-time computer system from the safe state 301 to autonomous operation 303 or the driver switches from the autonomous operation 303 to the safe state 301.
• Event 355: An error 341 is recognized by the decision component 150 because the trajectory calculated by the data processing component 121 is not in the secure enclosure calculated by the data processing component 132 or because the data processing component 132 has recognized an ODD violation. The real-time computer system switches from autonomous operation 303 to fault state 304.
• Event 356: The real-time computer system informs the driver about the malfunction 304 that has occurred.
• Event 357: The driver takes control and leads the real-time computer system from the faulty state 304 to the safe state 301.
• Event 358: The real-time computer system activates a minimum risk maneuver (MRM) and uses the emergency trajectory that was determined by the data processing component 143 in order to bring the vehicle into the safe state 305.
• Event 359: The driver takes over control of the vehicle from state 305.

By separating the functions of the calculation of a trajectory by the insecure data processing component 121, the checking of the security of the calculated trajectory by the insecure data processing component 121, the calculation of a Emergency trajectory through the insecure data processing component 143 and the decision-making as to whether an error is present through the simple decision component 150, the real-time computer system is considerably simplified [Kop19].

The present disclosure presents a safe solution for automating a vehicle or a machine and is therefore of great economic importance.

In particular, the invention makes it possible that all data processing components can be supplied with sensor data from the same sensors, that is, not every data processing component requires its own sensors, whereby the costs for a real-time computer system according to the invention can be significantly reduced. At the same time, however, the safe automation of a machine or a vehicle is ensured.

A possible technical implementation of a time server (referred to above with “115”), as it can be used in the present invention, is shown below.

• bi-direktionaler Kommunikationskanal: Ein Kommunikationskanal, auf dem Nachrichten in beide Richtungen übertragen werden können.
• Computer eines Echtzeitsystems: Einer der Vielzahl von Computern des verteilten Echtzeitcomputersystem, der vom Zeitserver Synchronisationsnachrichten empfängt. Synonym zu externer Empfänger.
• Empfänger einer Nachricht (Synchronisationsnachricht): Komponente des Zeitservers, welche die Nachricht von einer anderen Komponente dieses Zeitservers erhält.
• externe Synchronisationsnachricht: Eine Synchronisationsnachricht zur Synchronisation der Uhren außerhalb eines Zeitservers. Eine externe Synchronisationsnachricht muss erfindungsgemäß fail-silent sein, d.h. sie ist entweder richtig oder wird als unrichtig erkannt. Die Fehlererkennung einer im Wertebereich unrichtigen Synchronisationsnachricht kann durch die Überprüfung einer elektronischen Unterschrift, die in der externen Synchronisationsnachricht enthalten ist, erfolgen.
• externer Empfänger: jeder Computer des verteilten Echtzeitcomputersystems, dessen Uhr durch externe Synchronisationsnachrichten, die periodisch vom Zeitserver gesendet werden, mit der globalen Zeit synchronisiert wird.
• externer Empfangszeitpunkt: Der a priori festgelegte Zeitpunkt, zu dem eine korrekte/richtige externe Synchronisationsnachricht beim externen Empfänger eintrifft und der in einer Payload der externen Synchronisationsnachricht enthalten ist.
• externer Synchronisationszeitpunkt: ein periodisch wiederkehrender Zeitpunkt, der im Rahmen des Systementwurfs festgelegt wird und zu dem eine externe Synchronisationsnachricht von einer Komponente des Zeitservers zu einer anderen internen Komponente des Zeitservers gesendet wird. Die externe Synchronisationsnachricht wird genau nur dieser einen internen Komponente zugesendet, wobei letztere außerdem von keinen anderen internen Komponenten des Zeitservers externe Synchronisationsnachrichten erhält. Die (interne) Übertragung der externen Synchronisationsnachrichten zwischen zwei Komponenten des Zeitservers erfolgt direkt über eine Kommunikationsleitung, welche die beiden Komponenten direkt, ohne den Umweg über andere Komponenten verbindet.
• Fehlerhypothese: Die Annahmen über die zu tolerierenden Fehler in einem fehlertoleranten Computersystem [Kop11, S. 154].
• fehlertoleranter Uhrensynchronisations-Algorithmus: Ein Algorithmus zur fehlertoleranten Synchronisation der Uhren in einem Verteilten Computersystem [Kop11, S.69].
• festgehaltener Empfangszeitpunkt: Der Zeitpunkt des Empfangs einer externen Synchronisationsnachricht, gemessen mit der Uhr des externen Empfängers. Die Genauigkeit der Messung des festgehaltene Empfangszeitpunkt kann durch einen Hardwaremechanismus verbessert werden.
• Globale Zeit: Die vom Zeitserver übermittelte Zeit, deren entsprechende Ticks bei allen externen Empfängern innerhalb einer definierten Präzision liegen (siehe [Kop11, S. 55] zum Begriff der Präzision).
• GPS Zeit: Ein weltweites, mit der SI Sekunde synchronisiertes Zeitsignal, das vom GPS System ausgestrahlt wird und von einem GPS Empfänger empfangen werden kann [Dan97].
• GPS Empfänger (Receiver): Eine elektronische Baueinheit, die Satellitensignale von GPS Satelliten empfängt und die ein Zeitsignal (ausgedrückt in SI Sekunden) an den Zeitserver, insbesondere an die an den GPS Empfänger angeschlossenen Komponenten des Zeitservers übergibt [Dan97].
• gültige externe Synchronisationsnachricht: Eine externe Synchronisationsnachricht ist gültig, wenn der Inhalt der Nachricht mit der in der Nachricht enthaltenen Signatur übereinstimmt.
• interne Synchronisationsnachricht: Eine Synchronisationsnachricht zur internen Synchronisation der Tick-Zähler der Komponenten innerhalb eines Zeitservers. Interne Synchronisationsnachrichten werden zwischen den internen Komponenten eines Zeitservers übertragen.
• interner Synchronisationszeitpunkt: ein periodisch wiederkehrender Zeitpunkt, der im Rahmen des Systementwurfs festgelegt wird und zu dem eine interne Synchronisationsnachricht gesendet wird.
• Kommunikationskontroller: die Baueinheit innerhalb eines Computers, welche die Verbindung zwischen einem externen Kommunikationskanal und dem Speicher des Computers herstellt und die die Abwicklung des Kommunikationsprotokolls vornimmt.
• Komponente: Ein Computer mit einem Oszillator, einen Tick-Zähler und der notwendigen Software innerhalbe des Zeitservers.
• SI-Sekunde: Internationaler Standard der Sekunde [Tay01].
• Start-up Nachricht: Eine Nachricht innerhalb des Zeitservers zur internen Uhrensynchronisation, die in der Start-up Phase gesendet wird.
• Start-up Phase: Ein Zeitintervall unmittelbar nach dem Power-up der internen Komponenten des Zeitservers. Während der Start-up Phase werden die Tick-Zähler der Komponenten mittels eines zentralen Master Algorithmus [Kop11, S.68] synchronisiert.
• unabhängige Kommunikationskontroller des Zeitservers: zwei Kommunikationskontroller des Zeitservers sind unabhängig, wenn sie auf bzw. in unterschiedlichen internen Komponenten angeordnet sind.
• Zeitserver: Ein Apparat bzw. eine Vorrichtung, umfassend mindestens vier Komponenten zum Aufbau einer fehlertoleranten globalen Zeit.

The following definitions of terms are used, which basically apply within the scope of the entire present disclosure Figures 4 - 8 are valid:

• bi-directional communication channel: A communication channel on which messages can be transmitted in both directions.
• Real-time system computer : One of the plurality of computers in the distributed real-time computer system that receives synchronization messages from the time server. Synonymous with external recipient.
• Recipient of a message (synchronization message): component of the time server that receives the message from another component of this time server.
• External synchronization message : A synchronization message for synchronizing the clocks outside of a time server. According to the invention, an external synchronization message must be fail-silent, ie it is either correct or is recognized as incorrect. The error detection of a synchronization message that is incorrect in the value range can take place by checking an electronic signature that is contained in the external synchronization message.
• external receiver : any computer in the distributed real-time computer system whose clock is synchronized with global time by external synchronization messages sent periodically by the time server.
• External reception time : The time specified a priori at which a correct / correct external synchronization message arrives at the external recipient and which is contained in a payload of the external synchronization message.
• External synchronization point in time: a periodically recurring point in time that is defined as part of the system design and at which an external synchronization message is sent from one component of the time server to another internal component of the time server. The external synchronization message is only sent to this one internal component, the latter also not receiving external synchronization messages from any other internal components of the time server. The (internal) transmission of the external synchronization messages between two components of the time server takes place directly via a communication line, which connects the two components directly, without the detour via other components.
• Fault hypothesis : The assumptions about the faults to be tolerated in a fault-tolerant computer system [Kop11, p. 154].
• fault-tolerant clock synchronization algorithm : An algorithm for fault-tolerant clock synchronization in a distributed computer system [Kop11, p.69].
• Recorded time of receipt: The time of receipt of an external synchronization message, measured with the clock of the external recipient. The accuracy of the measurement of the recorded time of reception can be improved by a hardware mechanism.
• Global time : The time transmitted by the time server, the corresponding ticks of which are within a defined precision for all external recipients (see [Kop11, p. 55] on the term precision).
• GPS time: A worldwide time signal, synchronized with the SI second, which is transmitted by the GPS system and can be received by a GPS receiver [Dan97].
• GPS receiver (receiver) : An electronic component that receives satellite signals from GPS satellites and that transmits a time signal (expressed in SI seconds) to the time server, in particular to the time server components connected to the GPS receiver [Dan97].
• Valid external synchronization message: An external synchronization message is valid if the content of the message matches the signature contained in the message.
• Internal synchronization message : A synchronization message for the internal synchronization of the tick counters of the components within a time server. Internal synchronization messages are transmitted between the internal components of a time server.
• Internal synchronization point in time: a periodically recurring point in time that is defined as part of the system design and at which an internal synchronization message is sent.
• Communication controller: the structural unit within a computer which establishes the connection between an external communication channel and the computer's memory and which handles the communication protocol.
• Component: A computer with an oscillator, a tick counter and the necessary software within the time server.
• SI second: International standard of the second [Tay01].
• Start-up message : A message within the time server for internal clock synchronization, which is sent in the start-up phase.
• Start-up phase : A time interval immediately after the power-up of the internal components of the time server. During the start-up phase, the tick counters of the components are synchronized using a central master algorithm [Kop11, p.68].
• Independent communication controllers of the time server : two communication controllers of the time server are independent if they are arranged on or in different internal components.
• Time server : An apparatus or a device comprising at least four components for setting up a fault-tolerant global time.

Figure 4 FIG. 11 shows a time server 1100 with four components 1110, 1120, 1130, 1140 , a first component 1110 , a second component 1120, a third component 1130 and a fourth component 1140.

The first component 1100 is with each of the other three components, ie with the second, third and fourth component 1120, 1130, 1140, the second component 1120 with each of the other three components (first, third and fourth) 1100, 1130, 1140, the third component 1130 with each of the other three components (first, second and fourth) 1100, 1120, 1140 and the fourth component 1140 with each of the other three components (first, second, third) 1100, 1120, 1130 via one bi-directional each Communication channel 1190, 1111, 1121 connected to the transmission of messages by means of internal communication controllers 1193 of the respective components.

In Figure 4 a distinction is made between two types of messages, internal synchronization messages 1191 and external synchronization messages 1192. The external synchronization messages 1192 are preferably signed.

In the example according to Figure 4 each component has three internal communication controllers 1193 . The three internal communication controllers 1193 one Components are able to transport internal synchronization messages 1191 in both directions (bi-directional).

Furthermore, in the example shown, the second and fourth components 1120, 1140 each have a so-called "external" communication controller 1194. These two external communication controllers 1194 can preferably only transport the external synchronization messages 1192 in one direction (unidirectional) - in that direction from the time server to the external recipients of the distributed real-time computer system.

Both the internal synchronization messages 1191 and the external synchronization messages 1192 can be transmitted via the internal communication channels 1190 between the components 1100 and 1120, as well as the components 1130 and 1140.

An external communication controller 1194 can also send the external synchronization messages 1192 to its external receivers over a wireless radio channel. However, it must be ensured that the two communication controllers 1194 transmit the two external synchronization messages 1192 at the same time, for example on different frequency bands.

Each of the four components 1100,1120,1130,1140 of the Figure 4 has an internal computer with an oscillator and a local tick counter, as well as software that executes a clock synchronization algorithm. After switching on a component, the power-up, an initialization routine is initiated which initializes the local tick counter of each component with the value zero. The value of the local tick counter is increased by 1 per period of the oscillator.

After the power-up , the start-up phase of the time server begins. During the start-up phase, an excellent component, e.g. component 1100, takes on the role of a central time master. The time master sends an internal start-up message 1191 with the content of your local tick counter at the time of sending via its three internal communication controllers 1193 to the other three components 1120, 1130, 1140 at the same time. Each (component-internal) receiver 1120, 1130, 1140 of the startup message corrects the tick counter contained in the startup message by an a priori known one Transport delay of the start-up message and writes this corrected value in its tick counter. At this point in time, the local tick counters of all clocks are now synchronized. The time at which an incoming message arrives in a component can be precisely recorded through the use of supporting hardware mechanisms.

As part of a system design - a priori - periodic internal synchronization times are specified at which the local tick counters of the components are corrected in order to correct the deviations in their clocks that occurred in the time interval between two internal synchronization times.

Each of the four components sends an internal synchronization message 1191 at each internal synchronization point in time via its three internal communication controllers 1193 to all other components of the time server. An internal synchronization message 1191 contains the status of the local tick counter of the respective sender at the time of sending in the payload.

Each recipient of an internal synchronization message 1191 records the status of its local tick counter at the time of receipt of the internal synchronization message 1191 (preferably by hardware mechanisms in the communication controller 1193 ).

Corresponding Figure 4 each component contains three internal synchronization messages 1191 via the three internal communication controllers 1193 . For example, the first component 1100 receives an internal synchronization message from each of the components 1120, 1130, 1140.

Each component determines the time differences between the transmission times contained in the internal synchronization messages and the recorded reception times, corrected for the a priori known delays of the internal synchronization messages, and transfers these time differences to a fault-tolerant clock synchronization algorithm. In Figure 4 Thus, the clock synchronization algorithm in the first component 1100 has four time differences available, three from the messages of the component 1120, 1130 and 1140, as well as the time difference zero from Tick counter of component 1100. (Component 1100 assumes that it is correct .)

In detail, at a priori defined periodic, internal synchronization times, each of the four components 1110, 1120, 1130, 1140 sends an internal synchronization message containing the status of its local tick counter at the time the internal synchronization message was sent to the other three components at the same time Each recipient of an internal synchronization message records the status of his local tick counter at the time of receipt of the internal synchronization message, and the time difference between the transmission time contained in the internal synchronization message and the recorded time of receipt of the internal synchronization message, corrected by the a priori known delay of the internal synchronization message , determined, and each internal computer of a component from these time differences in accordance with a fault-tolerant clock synchronization algorithm a correction term for the component in its component The tick counter contained is determined and the reading of the local tick counter is corrected by this correction term, and two of the four components, for example the first component 1110 and the third component 1130 , each have an external synchronization message 1192 that contains an a priori external reception time of this Contains external synchronization message, both external synchronization messages contain the same external reception time, and these external synchronization messages at the same time at a priori defined periodic external synchronization times each via a communication channel 1190 directly to one of the other components 1120, 1130, but not to the same of the other two components , send, for example, the first component 1110 to the second component 1120 and the third component 1130 to the fourth component 1140.

• und falls dies nicht der Fall ist, die externe Synchronisationsnachricht verwirft,
• und falls dies der Fall ist, die externe Synchronisationsnachricht über einen externen Kommunikationskontroller 1194 der Komponente 1120, 1140 an einen externen Empfänger zu einem, insbesondere a priori festgelegten Zeitpunkt, der sicher stellt, dass die externe Synchronisationsnachricht zu dem in der externen Synchronisationsnachricht enthaltenen externen Empfangszeitpunkt beim externen Empfänger eintrifft, weiterleitet,

und wobei jeder externe Empfänger den Zeitpunkt des Empfangs der ersten eintreffenden externen Synchronisationsnachricht mit seiner lokalen Uhr festhält und anschließend den Stand seiner lokalen Uhr um die Differenz zwischen dem festgehaltenen Zeitpunkt des Empfangs der externen Synchronisationsnachricht und dem in der externen Synchronisationsnachricht enthaltenen externen Empfangszeitpunkt korrigiert.Each of the components 1120, 1140 of the time server 1100 , to which an external synchronization message was sent, checks whether the external reception time contained in the received external synchronization message, measured against the status of its local tick counter at the time of receipt of the external synchronization message, is set as it is specified by a priori planning of the external synchronization time and the external reception time,

• and if this is not the case, discards the external synchronization message,
• and if this is the case, the external synchronization message via an external communication controller 1194 of the component 1120, 1140 to an external receiver at a time, in particular a priori determined time, which ensures that the external synchronization message is received at the external reception time contained in the external synchronization message arrives at the external recipient, forwards,

and wherein each external receiver records the time of receipt of the first incoming external synchronization message with its local clock and then corrects the status of its local clock by the difference between the recorded time of receipt of the external synchronization message and the external time of receipt contained in the external synchronization message.

Fault-tolerant clock synchronization algorithms are described in detail in the specialist literature [eg Kop11, p. 69]. A fault-tolerant clock synchronization algorithm is executed in each component and determines a correction value for the own clock from the totality of the determined time differences of all clocks. The tick counter of your own clock is corrected with this correction value. The term of the precision of an ensemble describes the precision of the internal synchronization [Kop11, p. 55].

As part of the system design, periodic external synchronization times and corresponding times of receipt of an external synchronization message 1192 are specified at an external receiver. An external synchronization message 1192 contains in its payload the planned time of receipt of this message by the external recipient and preferably an electronic signature ( signature ) of the sender , ie the creator of the external synchronization messages 1192 (in the present case these are components 1100, 1130 ). It is assumed that the sender's electronic signature cannot be forged.

An external synchronization message 1192 can also contain information about the internal status of a component in its payload.

The periodic synchronization times of the external synchronization messages should preferably be selected so that the time interval between two

Synchronization messages corresponds to a (negative) power of the SI second. This time difference can be derived from the GPS time, which uses the SI second as the basis for time counting. If the external synchronization messages are synchronized with the GPS time, the time base of the distributed computer system is synchronized worldwide with all other computers that are based on the GPS time

Figure 5 FIG. 13 shows a real-time computer system with four computers 1210, 1220, 1230, 1240, which are provided with a fault tolerant time server according to FIG Figure 4 are connected. The first component 1100 of the time server 1100 according to FIG Figure 4 sends an external synchronization message 1192 intended for the computers 1210, 1220, 1230, 1240 via its internal communication controller 1193 to the internal communication controller 1193 of the second component 1120. The second component 1120 checks the correctness of the external reception time contained in the external synchronization message. This external time of reception is valid if the status of the clock of component 1120 at the time of receipt of the external synchronization message lies within an interval defined a priori before the external time of reception which is contained in the external synchronization message. If the external synchronization message is not valid, it is discarded. Otherwise, the external synchronization message is sent from the second component 1120 via its unidirectional external communication controller 1194 to the computers 1210, 1220, 1230, 1240 at a time which ensures that the message is received by the computers 1210 at the time contained in the external synchronization message , 1220, 1230, 1240 arrives. The second component 1120 cannot change the external reception time contained in the external synchronization message, since, for example, this external synchronization message is signed by the first component 1100.

Applied to the example Figure 1 the time server 1100 corresponds to the time server 115 Figure 1 . By means of the two communication controllers 1193, 1194, the time server is connected to a real-time communication system (110, 111 in Figure 1 ) tied together. Each of the real-time communication systems 110, 111 is made up of the components 101, 102, 103, 121, 132, 143 Figure 1 connected (these correspond to computers 1210, 1220, 1230, 1240).

The fourth component 1140 carries out the method described above simultaneously with regard to the second external synchronization message 1192 and sends it to the computers 1210, 1220, 1230, 1240 of the real-time computer system.

The fourth component 1140 receives the external synchronization message 1192 internally from the third component 1130.

In general, it is preferable that two components (here the second and fourth components) send an external synchronization message to the outside at the same time. Each of these two components receives the external synchronization message internally from another - and only from this - component, e.g. the second component receives this from the first component (and only from this) and the fourth component receives this from the third component (and only of this). The component that generates the external synchronization message and sends it internally to the component assigned to it preferably signs this external synchronization message.

In the in Figure 4 It would also be conceivable that internally the first component sends the external synchronization message (only) to the fourth component and the third component sends the external synchronization message (only) to the second component.

It is clear to a person skilled in the art that it could of course also be provided that other components (e.g. first and second components) also send the external synchronization messages in pairs to external, and they internally send the external synchronization messages from the other two components, e.g. from the third component and from the fourth component.

Figure 5 shows four external receivers 1210, 1220, 1230, 1240 of the distributed real-time computer system, whose clocks are supplied with the global time by the fault-tolerant time server 1100. Each of these four external receivers receives two external synchronization messages via the two independent external communication controllers 1194 from the corresponding components 1120, 1140 of the time server 1100 within the precision around the time of reception contained in the external synchronization message.

An external synchronization message arriving at an external recipient is valid if the content of the message matches a signature contained in the message.

The difference between the time of arrival of the first valid external synchronization message 1192 recorded by the external receiver and the time of receipt contained in the first valid external synchronization message 1192 is used to set the status of the clock of the external receiver to the received global time. The second external synchronization message 1192 arriving later is discarded by the external receiver because it may have been inadmissibly delayed by a faulty sender (for example, by a faulty component 1120).

The fault hypothesis of a fault-tolerant system indicates which type of faults are tolerated by the system [Kop11, p. 145]. In the present case, it is assumed that each component of the time server forms an independent fault containment unit (FCU) and that each FCU can fail as required, ie the type of fault of an FCU is not restricted. Furthermore, it is assumed in the error hypothesis that only one component of the time server is defective during operation.

If one of the four components of the time server 1100 becomes faulty, this fault is masked by the proposed system architecture of the time server. For example, if component 1100 of the Figure 4 is faulty and sends an external synchronization message 1192, which is intended for the external recipients 1210, 1220, 1230, 1240 , to the component 1120 at an incorrect point in time, the component 1120 will recognize the message as faulty and discard it. The second external synchronization message 1192, which is intended for the external receivers 1210, 1220, 1230, 1240 , originates from the third component 1130 and is checked by the fourth component 1140. Since, according to the error hypothesis, only one component - in this case component 1100 - can be defective, the second synchronization message will arrive correctly at the external receivers 1210, 1220, 1230, 1240 .

If the checking component delays an external synchronization message 1192 due to an error, this external synchronization message is sent after the other valid external synchronization message 1192 at the external recipient arrive and discarded by the external recipient. If a checking component changes the content of an external synchronization message 1192 , the external synchronization message 1192 becomes invalid and is discarded by the external recipient.

Figure 6 FIG. 11 shows a time server 1100 in which the communication channel 1111 between the first and fourth components 1100, 1140 of FIG Figure 7 and the communication channel 1121 between the second and third components 1120, 1130 of FIG Figure 7 miss. By omitting these two communication channels, four internal communication controllers 1193 and two signal lines can be saved. The price to offset these savings is the introduction of a two-stage transmission of the internal synchronization messages. For example, an internal synchronization message must be sent from the first component 1100 to the fourth component 1140 in the first stage from the component 1100 to the component 1120 and in the second stage from the component 1120 to the component 1140. The additional time delay caused by this two-stage transmission process must be corrected in the receiving component 1140.

Figure 7 shows a time server 1100 with a GPS receiver 1150 for synchronizing the global time with the GPS time. The GPS signal of the Global Positioning System contains a world-wide synchronized time signal with a precision of better than 100 nsec. With this signal, the global time of the external receivers can be synchronized worldwide.

It is advantageous if the components of the time server that take over the time signal from GPS receiver 1150 check this time signal for plausibility. For example, the dynamics of the field strength of the incoming GPS signals can be monitored, or a sudden change in the time offered can be determined in order to detect an intrusion.

The time server can also have sensors for measuring the environmental parameters in order to compensate for the drift rate of the oscillators caused by these environmental parameters. Examples of such environmental parameters are temperature T, barometric pressure B, and humidity H, which can be detected with corresponding sensors 1181 , 1182, 1183 , as exemplified in FIG Figure 8 (based on a time server 1100 as in Figure 7 shown) is shown.

It goes without saying that the implementation of such sensors also with time servers as in Figure 4 or 6th may be provided shown.

Alternatively or additionally, a GPS receiver can also be used with a time server as in Figure 4 or 6th be implemented as shown.

It can be provided that an external synchronization message 1192 contains a further data field in which data about the internal status of the time server 1100 is published in order to give an external monitoring system the opportunity to use the external synchronization messages 1192 to check the internal function of the time server. These data can relate to the measured time differences, the calculated correction value for the global time or the field strength of the GPS receiver.

In general, ie also for all embodiments of the invention, it is advantageous that the time server is made up of two subsystems, each subsystem having a component 1100, 1130, which generates (and preferably signs) external synchronization messages, as well as a further component 1120 , 1140, which receives this external synchronization message generated by the other component of its subsystem, the latter component of each subsystem sending the external synchronization message to an external receiver. This system structure has the advantage that the subsystems can be arranged at different locations. The failure of a subsystem can be tolerated.

Each subsystem preferably has its own GPS receiver and / or its own power supply.

Literature cited:

• [Kop11] Kopetz, H. Real-Time Systems - Design Principles for Distributed Embedded Applications. Springer Verlag. 2011
• [Kop19] Kopetz, H. Simplicity is Complex-Foundations of Cyber-physical System Design. Springer Verlag. 2019
• [Pea80] Pease, M., R. Shostak, & L. Lamport, Reaching Agreement in the Presence of Faults. Journal of the ACM,. 27(2): p. 228-234. 1980 .
• [Dvo09] Dvorak, D.L. Editor. NASA Study on Flight Software Complexity. Final Report. Jet Propulsion Laboratory, Pasadena, Cal. USA. 2009 .
• [Dan97] Dana, P.H. Global Positioning System (GPS) Time Dissemination for Real-Time Applications. Real-Time Systems. Vol 12. No. 1., pp. 9-40. 1997 .
• [Tay01] Taylor, B. Ed. The International System of Units. NIST Special Publication 130. 2001 Edition. National Institute of Standards and Technology (NIST). US Department of Commerce. 2001 .

ISO standard ISO 26262 on functional safety

• [Kop11] Kopetz, H. Real-Time Systems - Design Principles for Distributed Embedded Applications. Springer publishing house. 2011
• [Kop19] Kopetz, H. Simplicity is Complex-Foundations of Cyber-physical System Design. Springer publishing house. 2019
• [Pea80] Pease, M., R. Shostak, & L. Lamport, Reaching Agreement in the Presence of Faults. Journal of the ACM ,. 27 (2): p. 228-234. 1980 .
• [Dvo09] Dvorak, DL Editor. NASA Study on Flight Software Complexity. Final report. Jet Propulsion Laboratory, Pasadena, Cal. UNITED STATES. 2009 .
• [Dan97] Dana, PH Global Positioning System (GPS) Time Dissemination for Real-Time Applications. Real-time systems. Vol 12. No. 1., pp. 9-40. 1997 .
• [Tay01] Taylor, B. Ed. The International System of Units. NIST Special Publication 130. 2001 Edition. National Institute of Standards and Technology (NIST). US Department of Commerce. 2001 .

Claims (11)

Real-time computer system ( 100 ), in particular a distributed real-time computer system, for controlling a technical device, for example a technical installation or a machine, such as a robot or a vehicle, in particular a motor vehicle, the real-time computer system - comprises data acquisition components ( 101 , 102 , 103 ) which are independent of one another, the data acquisition components ( 101 , 102 , 103 ) being set up to acquire sensor data, - as well as data processing components ( 121 , 132 , 143 ) for processing the sensor data,
characterized in that - data acquisition components (101 , 102 , 103 ) are insecure components, - The real-time computer system ( 100 ) further comprises a time server ( 115 ) as well as a first communication system ( 110 ) and a second communication system ( 111 ), - wherein the time server ( 115 ) is set up to periodically send global time signals via one or more unidirectional communication lines ( 194 ) to the first communication system ( 110 ) and via one or more unidirectional communication lines ( 195 ) to the second communication system ( 111 ), - The communication systems ( 110 , 111 ) being independent of one another, - and wherein each data acquisition component ( 101 , 102 , 103 ) has at least two, preferably exactly two communication controllers ( 192 ), each data acquisition component ( 101 , 102 , 103 ) with one of the at least two communication controllers ( 192 ) using at least one, preferably exactly a communication line ( 191 ) to the first communication system ( 110 ) and with Another of the at least two communication controllers ( 192 ) is connected to the second communication system ( 111 ) via at least one, preferably exactly one communication line ( 191 ), so that each data acquisition component ( 101 , 102 , 103 ) sends its sensor data to each of the at least two communication systems ( 110 , 111 ) can or transmits, - and wherein each data processing component ( 121 , 132 , 143 ) has at least two, preferably exactly two communication controllers ( 192 ), each data processing component ( 121 , 132 , 143 ) with one of the at least two communication controllers ( 192 ) having at least one, preferably exactly a communication line ( 191 ) is connected to the first communication system ( 110 ) and with another of the at least two communication controllers ( 192 ) via at least one, preferably exactly one communication line ( 191 ) to the second communication system ( 111 ), so that each communication system ( 110 , 111 ) can transmit or transmit the sensor data received from the data acquisition components ( 101 , 102 , 103 ) to each of the data processing components ( 121 , 132, 143), - So that each data processing component ( 121 , 132 , 143 ) can process the received sensor data. Real-time computer system, wherein the time server ( 115 ) is fault tolerant. Real-time computer system according to claim 1 or 2, wherein one, in particular each data processing component (121 ) consists of processing subcomponents, VUK, ( 222 , 223 , 224 ) or comprises VUKs which are set up via a non-redundant, subordinate real-time communication system, a so-called Real-time sub-communication system to exchange real-time data, the real-time sub-communication system or a message distribution unit ( 229 ) of the real-time sub- communication system, which accepts the sensor data transmitted to the data processing component (121 ), has at least two communication controllers ( 192 ), one of the at least two communication controllers ( 192 ) is set up to accept the sensor data from the first communication system ( 110 ) and another communication controller ( 192 ) of the at least two Communication controller ( 192 ) is set up to accept the sensor data from the second communication system ( 111 ), and wherein the real- time sub-communication system or a message distribution unit (229 ) of the real-time sub-communication system comprises a further communication controller (192 ) with which it communicates with a . Real-time computer system according to one of Claims 1 to 3, the at least two communication systems (110, 111) of the real-time computer system being real-time communication systems, in particular time-controlled real-time communication systems. Real-time computer system according to one of claims 1 to 4, wherein the real-time computer system ( 100 ) or the at least two independent communication systems ( 110 , 111 ) is / are set up to transmit the sensor data to at least two or more data processing components ( 121 , 132 , 143 ) without feedback . Real-time computer system according to one of Claims 1 to 5, the connecting lines ( 191 ) between the data acquisition components ( 101 , 102 , 103 ) and / or data processing components ( 121 , 132 , 143 ) on the one hand and the communication systems ( 110 , 111 ) on the other hand being galvanically isolated. Real-time computer system according to one of Claims 2 to 6, a data processing component ( 121 ) directly accessing a sensor ( 261 ) which is only assigned to this data processing component ( 121 ). Real-time computer system according to one of claims 2 to 7, wherein it comprises a decision component (150), and wherein each data capture component (101, 102, 103) is connected to the decision component (150), preferably includes the decision component (150) fault-tolerant hardware to which a simple software is executed. Real-time computer system according to claim 8, wherein a data processing component, which a violation of the assumptions regarding the Identifies the specified Operational Design Domain (ODD) , communicates this to the decision component (150 ). Real-time computer system according to one of claims 1 to 9, wherein functions, in particular all functions of the calculation of a trajectory by a first, in particular insecure data processing component ( 121 ), a check of the security of this calculated trajectory exclusively by a second, in particular insecure data processing component ( 132 ), and the calculation of an emergency trajectory is carried out exclusively by a third, in particular insecure data processing component ( 143 ), and a decision as to whether an error is present is preferably carried out by a preferably simple decision component (150). A method for the automated management of a technical device, for example a technical system or a machine, such as a robot or a vehicle, in particular a motor vehicle, using a real-time computer system, in particular an autonomous real-time computer system according to one of claims 1 to 10, the real-time computer system having different system states , in particular can assume at least the following system states: State 301: the technical device is in a first secure state in which an operator can exercise control over the technical device; State 302: the real-time computer system is monitored by the operator; State 303: the real-time computer system runs the technical device autonomously; State 304: the real-time computer system is faulty; State 305: the technical device in is in a second safe state 305, in which it is brought by the real-time computer system through a minimum risk maneuver (MRM), with the operator not having control over the technical device in the second safe state 305 has, but can take over, wherein a transition between the system states occurs in each case by one or more state transitions, and wherein an error ( 341 ) is caused by the decision component ( 150 ) is recognized, and the real-time computer system switches from autonomous operation (303 ) to the fault state ( 304 ), and the real-time computer system brings the technical device into the safe state ( 305 ) by means of the data processing component (143).

Images